The allow security policy configured with the app-ID "netbackup" and an "application-default" as a service doesn't work correctly.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

The allow security policy configured with the app-ID "netbackup" and an "application-default" as a service doesn't work correctly.

L2 Linker

Dear and valuable Live Community Members,

 

I have a problem understanding the below-described behavior in regard to the security policy used in the firewall: 

 

We have a firewall policy configured to allow NetBackup traffic, but if we configure it by setting the "Application" tab to "netbackup", it often doesn't work (the behavior is random). And if we configure the policy specifying the TCP ports used by netbackup, it works correctly.

As you can see below we have now two allow policies to make it work:

-----------------------------------------------------------------------------------------------------------------------

1) The security policy that specifies the ports used by the application (Application - Any; Service TCP/1556,13724,13782,13722,10102,10082) - it works fine

 

2) The security policy configured with the app ID "netbackup" and an "application-default" as a service  - doesn't work correctly 

 

image001.png

 

I could verify the list of standard ports and as per the KB Tips & Tricks: What Does Application-default Under Service Mean? I was sure that we will need only one policy and that the 2nd policy should be enough for this.

Standard_PortsStandard_Ports

 

Could you please help me to understand why the "Application" field, is not working as expected with the application-default?

 

I hope someone could help me out and let me know if there is something that needs to be corrected (configuration-wise) if that's maybe a bug or an expected behavior...

 

I would kindly like to ask you for some help and advice on this one.

Thank you in advance!

Cheers!

 

3 REPLIES 3

L3 Networker

Hi A_Adamski,

 

I agree with you, you should only need 2nd rule as it contains all ports you included in screenshot.

that is a weird problem, two question if you don't mind.

1) what is your application version on the dash board - is it  Application Version 8699-7991 (04/19/23) ?

2) when you look at the logs for the first rule, which application(s) do you see in the logs?

 

Hello Y-AlwaysMe,

 

1) The Application Version is now 8697-7981 (04/14/23), but it as issue we've got in the past with the 8693-7959 (end of March)

2) The firewall seams to be recognizing the application correctly 

image001 (1).png

 

Is there anything I might be miing out and should verify/correct, or should I ask PA TAC for some support on this one?

 

Thank you in advance!

Hi A_Adamski,

Thank you for information. I suspect the problem will potentially be the unknown-tcp, when you enable Bytes Sent & Bytes Received and look the unknown-tcp between the src and dst IP addresses, I am guessing there will be actual data that is eq or more than 200 bytes in the sent and received columns, which could potentially explain why it would randomly stop working as most packets are normal TCP/1556 packets, and then every now and then unknown-tcp will be sent and it will stop working against the application rule.

Because the application rule you allowed only contains netbackup and you did not define unknown-tcp in your application rule.

 

I personally think there are two options use the L4 service-port based rule or look at custom application / app override - see that article by Reaper.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clc6CAC

  • 1396 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!